NetScaler HowTo Guides

Common Configuration HowTo guides

The NetScaler HowTo Guides enable administrators to get NetScaler up and running by providing instructions for common configuration scenarios and some not so common ones. The more than 50 guides cover everything from how to block security attacks like Heartbleed to how to configure quotas on CGNAT. By using the HowTo Guides you can get your NetScaler up and running quickly and tune it to your particular application needs without having to dig through lengthy documentation. Each guide covers a particular topic and gets right to the point. The guides are downloadable in PDF format for easy use on any device.

How to configure StoreFront-based authentication?
There are scenarios where an administrator would want to use the StoreFront authentication service as the authentication mechanism for users logging on to NetScaler Gateway. This guide helps in configuring StoreFront-based authentication for these use cases.

How to modify NAT IP selection algorithm in deterministic NAT?
CGNAT logging is significantly reduced in Deterministic NAT because the mappings between the private client IP and the public NAT IP are created at configuration time, so logging happens then rather than on every new session. This guide helps in understanding the different NAT IP selection algorithms available for Deterministic NAT in NetScaler and also explains how to modify them.

How do I improve user access security in NetScaler MAS?
A system like NetScaler MAS is accessed by many administrators, so it is important that user access security is taken care of to ensure the MAS system is protected. Here are some of the things an administrator can configure or enable to improve MAS user access security.

How do I perform Authorization using advanced policy expressions in NetScaler?
Advanced policy expressions provide administrators with a rich set of expressions, such as body-based and DNS-based expressions, compared to the older classic expressions. This guide shows how to use them for authorization.

How do I set maximum failed login attempts and account lockout period on NetScaler Gateway?
This guide will show an administrator how to set the maximum number of login attempts and the account lockout period for invalid login tries to NetScaler Gateway. For example, the admin wants to limit login attempts to 3, after which the account gets locked for 30 minutes.

How to configure persistency sharing across different vserver types
This document explains how to configure control and data traffic so that both are handled by the same server. For example, in a telco environment, a Gateway GPRS Support Node (GGSN) handles both the control and data traffic, and it is ideal to send both the control and data traffic of a subscriber to the same GGSN.

How to enable TCP Fast Open in NetScaler?
TCP Fast Open (TFO) is a mechanism in the TCP connection establishment process that speeds up the opening of connections and the start of data flow: it allows data to be carried during the initial TCP handshake. This guide explains how to enable TCP Fast Open in NetScaler and when it should be enabled.

How to enable Subscriber aware session termination in NetScaler?
In today's environment, subscribers who reach the Internet through Large Scale NAT (LSN, also called Carrier Grade NAT or CGNAT) terminate connections and create new connections frequently. In such a dynamic environment, it is important for the CGNAT device to identify when a subscriber session is closed and free the resources allocated for that session. This guide provides information on how to enable subscriber aware session termination in NetScaler.

How to use DS-Lite in NetScaler?
For a successful migration to IPv6, service providers need to deploy IPv6 without impacting their network. DS-Lite is one such transition mechanism: it allows the service provider to deploy an IPv6-only infrastructure, with IPv4 traffic carried over the IPv6 infrastructure by tunneling. This guide explains the use case for DS-Lite and how to configure NetScaler as the AFTR (Address Family Transition Router) in a DS-Lite environment.

How to configure a NetScaler appliance for Nested Active Directory Group Extraction of LDAP
Some policies, such as authorization, session, and traffic policies, can be applied to a session on the basis of the user's group membership (for example, to allow or deny access to a certain resource). The credentials of a user attempting to log on to NetScaler Gateway are sent to Active Directory for validation. If the user name and password are valid, Active Directory sends the user attributes to the NetScaler appliance. This guide explains how to configure the NetScaler appliance for Nested Active Directory Group Extraction.

How to configure a NetScaler appliance for Active Directory Group Extraction by using LDAP
Some policies, such as authorization, session, and traffic policies, can be applied to a session on the basis of the user's group membership (for example, to allow or deny access to a certain resource). The credentials of a user attempting to log on to NetScaler Gateway are sent to Active Directory for validation. If the user name and password are valid, Active Directory sends the user attributes to the NetScaler appliance. This guide explains how to configure the NetScaler appliance for Active Directory Group Extraction.

How to autoprovision a NetScaler VPX instance on OpenStack Nova
To support the on-demand consumption model of OpenStack clouds, NetScaler MAS supports on-demand autoprovisioning of NetScaler VPX instances on OpenStack Nova. This guide covers the configuration to be done on MAS and the commands to run on OpenStack.

How to debug OpenStack Integration
When a NetScaler is integrated with OpenStack using MAS, many API calls are made between these components. If errors occur during these API calls, the MAS request/tasks view helps to debug the issue. This guide explains how to use the request/tasks option in MAS.

How do I upgrade a fleet of NetScaler appliances using NITRO API?
Administrators want to automate NetScaler configuration and monitoring so that they can upgrade their complete fleet of NetScaler appliances in a single go. This guide explains the API calls with which administrators can automate the upgrade or downgrade of NetScaler devices.

How do I Content Switch based on User-Agent
NetScaler can be configured to redirect clients to a specific set of servers based on each client's capabilities and needs. The User-Agent header is used to identify and categorize different clients. This guide details the steps to configure on NetScaler to redirect clients based on User-Agent.

How to connect to ADFS 3.0 from NetScaler ADC load balancer
Microsoft ADFS 3.0 requires clients to send the Server Name Indication (SNI) extension in the ClientHello. NetScaler now supports SNI on backend connections and can insert the server name configured on the SSL service. This guide details the use cases for SNI on the backend and gives a configuration example.

How do I filter traffic using DNS lookup in NetScaler ADC load
Traditionally, Access Control Lists (ACLs) have provided a strong layer of security based on IP and port information. In today's layer 7 network world, IPs may not be fixed or known in advance. NetScaler allows ACLs to be defined with domain names, thus providing advanced security functionality.

How do I disable client choices in NetScaler Gateway
Client choices are the logon choices presented to a user who logs on to a NetScaler Gateway. These choices are determined by creating a session policy and profile. NetScaler Gateway gives administrators an option to disable these client choices by modifying the session profile, so that users are not prompted to select a choice every time they log in to the Gateway.

How to use SNIP for authentication(AAA) server communication
Authentication server communication on NetScaler is by default done using the NetScaler IP (NSIP). So, apart from being used for management purposes, the NSIP is also used as the source IP for AAA protocol traffic. In some scenarios the NSIP cannot be used, so NetScaler allows a subnet IP (SNIP) to be used instead of the NSIP as the source IP for traffic sent to the authentication server.

How to configure ICA Proxy Connection Termination upon AAA Session Time Out
An AAA session is established once a user has been authenticated and logged in to the NetScaler Gateway. Administrators can configure AAA session timeouts via the NetScaler GUI and CLI. ICA connections are the sessions to XenApp/XenDesktop environments. NetScaler gives administrators the option to terminate ICA connections the moment a user session times out.

How to limit one session per user on NetScaler Gateway
Administrators can use a session policy or the global NetScaler Gateway settings to control whether or not intranet IP addresses are assigned during a user session. Administrators can define the IP address pool options to ensure that at any point in time a given user can only have one active session with NetScaler Gateway.

How do I monitor NetScaler MAS resource consumption
Administrators may want to proactively monitor MAS resource consumption to understand whether the usage numbers are under control and as expected. This guide includes details on how MAS resource consumption can be monitored.

How to use policy based TCP profile using AppQoE in NetScaler
There is often a need to change the TCP profile based on the traffic going through the system. Policy-based TCP profiles in NetScaler allocate TCP profiles based on attributes of the traffic going through the system. This guide helps in understanding policy-based TCP profiles in NetScaler, with examples.

How to use Port Control Protocol in NetScaler
Port Control Protocol, commonly referred to as PCP, enables applications and equipment to read and write explicit mappings between an external IP address, protocol and port and an internal IP address, protocol and port. These explicit mappings allow inbound communication to reach hosts behind a NAT or firewall. This guide provides information on how to enable PCP in NetScaler.

How to enable Connection Mirroring for RNAT traffic in NetScaler
Connection Mirroring / Session Synchronization enables NetScaler to duplicate connection and persistence information to the standby system in an HA pair. This guide explains why connection mirroring is needed for RNAT and how to configure it in NetScaler.

How to enable compact logging for CGNAT in NetScaler
Compact format is a technique for reducing the volume of logs by using a notational change involving short operational codes for the events and protocol names. This guide helps in understanding the compact logging use case and in enabling compact logging in NetScaler.

How do I create a Placement policy
In a multi-tenant environment like an OpenStack cloud, when NetScaler resources are being allocated there could be a requirement to allocate them based on subnet, HTTP request header, or any other property of a pool. A placement policy in the MAS service package fulfills this requirement. This guide helps to configure placement policies in MAS.

How do I create a Service Package in NetScaler MAS
When different cloud tenants or applications consume NetScaler resources through the OpenStack cloud, the SLAs defined in Service Packages are used by NetScaler MAS to allocate NetScaler resources. This guide helps to configure Service Packages in NetScaler MAS.

How to add OpenStack tenants to NetScaler MAS
In an OpenStack cloud, if an enterprise wants to provide LBaaS (using NetScaler) for selected tenants only, it can add those tenants to NetScaler MAS, and only those tenants can then be added to Service Packages in MAS. This guide helps with the process of adding OpenStack tenants to MAS.

How can ISPs log subscriber control plane information using NetScaler
With the surge in mobile data usage in recent years, a huge amount of control plane traffic flows through the ISP network and needs to be logged. This logging primarily helps ISPs with traffic analysis and mass surveillance. It adds value for service providers by helping them debug failures by identifying the events that led to the failure and, most importantly, by identifying the subscribers who used their services. This guide describes how NetScaler can log subscriber information.

How do I generate a trace for a specific Admin Partition
While managing an application, the admin may need to take a packet trace on NetScaler for troubleshooting. If the NetScaler has admin partitions, it is important that the trace can be taken within a partition so that it does not capture any packets which do not belong to that partition. This guide helps a user generate such a partition-specific trace.

How do I monitor and manage changes on NetScaler using Command Center
Changes made on NetScaler can be easily monitored and managed using the Change Management feature in Command Center. By following the steps given in this guide, a user can track any unwanted changes to his/her NetScaler configuration and take the necessary measures to restore the desired configuration.

How do I optimize Syslog Maintenance on Citrix Command Center
Command Center (CC) can act as a syslog server. Syslog messages consume a lot of storage space and may lead to storage issues on CC if not configured optimally. This guide helps the user configure Command Center optimally as a syslog server, which makes syslog maintenance on Command Center a smooth activity.

How do I select TCP congestion control algorithm in NetScaler
The first 20 years of the Internet had simple applications which used simpler networks with less heterogeneity and lower speed. As applications became much more diverse and demanding, the networks became complex, and the TCP congestion control that worked earlier gradually became unsuitable. Congestion control methods needed tinkering to adapt to the new complex networks and evolved gradually over time. This guide describes the TCP congestion control algorithms supported by NetScaler and how to select the right algorithm for your network.

How do I set up RSA keys on NetScaler
RSA is one of the most widely used public key cryptosystems for encrypted data exchange. This guide explains the advantages and disadvantages of using RSA keys and how to set up RSA keys in NetScaler.

How do I suppress Command Center alarm actions
Alarm triggers are an important alerting feature popularly used by Command Center users to receive important notifications, but receiving alarm trigger notifications during a maintenance activity can get annoying and overwhelming. By following the simple steps given in this guide, a user can configure alarm triggers so that they notify the user only during necessary or appropriate time periods.

How do I upgrade NetScaler using Command Center
Upgrading NetScaler via Command Center is a simple process. By following the steps given in this guide, a user can upgrade all of his/her NetScaler ADC device deployments in one go and can also keep a closer eye on the execution status and logs.

How to create your own TCP Profile in NetScaler
A TCP Profile is a collection of TCP parameters such as TCP flavor, TCP timers, window parameters, buffer parameters, Multipath TCP and other related parameters, and it offers flexibility and ease of configuration. This article explains how to create your own TCP Profile in NetScaler.

How to handle certificate expiry on NetScaler
An SSL certificate is valid for a specific period of time. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. This guide speaks about handling certificate expiry on NetScaler.

Generic NetScaler FAQs
This guide details how to upgrade NetScaler, where to find the latest release notes, details about Safe Harbor builds and where to find security updates for NetScaler.

How do I block FREAK on NetScaler
The FREAK attack is an SSL/TLS vulnerability that allows intruders to intercept HTTPS communication between a client and a server and force them to use weak encryption. This guide explains how to block FREAK attacks on NetScaler. It also gives information on the versions of the NetScaler Service Delivery Appliance Service VM (SVM) where the vulnerabilities are removed.

How do I block Heartbleed on NetScaler
Heartbleed is a bug identified in OpenSSL's implementation of the TLS heartbeat extension which allows intruders to read information from the server's memory, thereby revealing user data that was assumed to be protected by TLS. This article describes how Heartbleed functions and provides information on how NetScaler is immune to the Heartbleed vulnerability.

How do I block POODLE on NetScaler
Using the POODLE attack, an intruder can force a website to downgrade from TLS 1.0 to SSL 3.0 by negotiating the use of SSL 3.0. It then exploits a flaw discovered in SSL 3.0 to intercept the data in transit. This article describes how the POODLE/POODLE2 attack can be defended against using NetScaler.

How do I configure Split Tunnel on Gateway
The guide details how to configure the split tunnel feature on NetScaler Gateway that can be used to direct traffic that is bound for the Internet away from the VPN tunnel to the data center, thus saving resources on the VPN.

How do I configure Unified Gateway
The guide elaborates the steps involved in setting up Unified Gateway to unify remote access for all enterprise, web, cloud, SaaS and Citrix applications into a single end-to-end solution.

How do I do HSTS on NetScaler
HSTS is used to protect websites against various attacks like SSL strip, cookie hijacking, downgrade attacks, etc. This article explains how these attacks can be executed using man-in-the-middle spoofs and how HSTS works to defend against them. The article also provides information on how HSTS can be enabled in NetScaler.

How do I remove legacy ciphers on NetScaler
This article provides good practices to follow when selecting ciphers, namely not choosing legacy ciphers with known vulnerabilities, and gives instructions on how to remove these legacy ciphers from NetScaler.

How do I remove RC4 ciphers in NetScaler
RC4 is an encryption algorithm with a weakness in its initial output: the first few bytes of keystream reveal information about the key, which allows an intruder to gain access to sensitive information. This article explains how to remove RC4 ciphers in NetScaler.

How do I set up a DH Key on NetScaler
Diffie-Hellman key exchange is a method for sharing a secret between two entities which have no prior knowledge of each other. It can be used to establish encrypted communication for exchanging sensitive information over a public channel. This article provides information on how to set up a Diffie-Hellman key on NetScaler.

How do I set up an SSL profile on NetScaler
An SSL profile is a collection of SSL parameter settings which offers ease of configuration and flexibility. This article explains how to set up an SSL profile on NetScaler.

How do I upload PFX certificates on NetScaler
PFX is a format for storing a server certificate or any intermediate certificate along with the private key in one encrypted file. This article explains how to upload PFX certificates on NetScaler.

How to accommodate hairpinning behaviour in NetScaler
Hairpinning is a special scenario with respect to CGNAT. It allows the packets which arrive at the NAT from a private network to be translated and looped back to the private network without needing to go through the public network. This guide explains the concept of hairpinning and how it is handled in NetScaler.

How to configure CGNAT Deterministic NAT on NetScaler
Deterministic NAT is a type of configuration under carrier-grade NAT (CGNAT) in which there is a pre-determined mapping between the subscriber IP and the NAT IP. Such a configuration helps reduce the log volume and the cost of the logging infrastructure. This guide explains how Deterministic NAT can be configured using NetScaler.

How to configure CGNAT EIM and EIF on NetScaler
Endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF) are features under carrier-grade NAT (CGNAT). EIM and EIF allow private users to have a stable external (NAT) IP address and port (for a period of time) that external users can use to connect. This guide explains the concepts of EIM and EIF and how they can be configured using NetScaler.

How to configure CGNAT Static NAT on NetScaler
Static NAT is a feature in CGNAT which allows a user to opt for creating a static mapping between a subscriber IP/port and a NAT IP/port. Such a configuration enables Internet hosts to reach a particular internal service by ensuring that traffic from a specific subscriber IP address and port always gets the same NAT IP address and port. This guide explains the concept of Static NAT and how it can be configured using NetScaler.

How to configure healthcheck monitors on NetScaler
This guide helps a user configure healthcheck monitors on NetScaler. Monitors check the availability of the backend servers and thus help in making effective real time routing decisions related to the traffic flowing through the NetScaler.

How to configure PFS on NS v3
Perfect Forward Secrecy (PFS) ensures protection of current SSL communications even if the session key of a web server is compromised at a later time. This guide explains the concept of PFS and how to configure it on NetScaler.

How to configure Quotas in CGNAT on NetScaler
Port Quotas/Session Quotas are features related to carrier-grade NAT (CGNAT). They help limit the number of NAT ports/sessions per subscriber to ensure fair distribution of resources among users. This guide explains how to configure such quotas on NetScaler.

How to configure SNI on NS
Server Name Indication (SNI) is an extension of the TLS protocol that enables a webserver to host multiple DNS hostnames on a single IP address. This guide explains the concept of SNI and how to configure SNI on NetScaler.

How to enable SSL Client Auth on NetScaler
SSL client authentication lets you authenticate the users who are trying to gain access to resources protected over SSL. This guide explains how to configure SSL client authentication on NetScaler.

How to enable syslog over TCP in NetScaler
When logging significant events, the syslog messages need to be transported over a reliable channel so that they are stored safely on a server. This necessity paved the way for syslog over TCP. This article provides information on how to enable syslog over TCP in NetScaler.

How to log MSISDN in LSN logging
In order to track subscriber activity, the MSISDN, which is the primary key for uniquely identifying a subscriber in a UMTS/GSM network, needs to be logged for every subscriber session. This article explains how to enable logging of the MSISDN in LSN logs in NetScaler for tracking user session activity.

How to Setup ECC on NS
Elliptic Curve Cryptography (ECC) is an asymmetric public key cryptography method based on elliptic curves over finite fields. It is especially useful in a mobile (wireless) environment or in an interactive voice response environment. This guide explains how to configure ECC on NetScaler.

How to Setup Self Signed Cert on NS v3
A self-signed SSL certificate (mostly used for test purposes) is needed to test NetScaler's SSL offloading feature internally (in a non-production environment). This guide helps you set up a self-signed certificate on NetScaler.

What is SSL profile on NetScaler
An SSL profile contains ciphers, ECC curves and SSL parameters, which together give a myriad of combinations and options. This article explains the different types of SSL profiles and lists the parameters present in these profiles.
